Spoofing, phishing, spearphishing, boss phishing…the latest trend in data breaches may fall into a number of different categories, but it has something that other methods don’t have: it’s almost certain that the victim will fall for it. Why? Because his job could depend on it.
Here’s a better explanation. Many industry watchers and consumers are already familiar with the concepts of spoofing and phishing. A spoof email pretends to come from a known company or individual, such as an email that looks like it came from PayPal, telling you to click here to update your account. A phishing attempt entices you to click a link, make a payment, or any other odd behavior that benefits the scammer; these could be as simple as stating your account profile has to be updated or as involved in getting you to wire money to someone.
Either way, both of these types of scams trick you into doing something the scammer wants. And with more and more awareness of these types of attacks, they’re easier to spot and ignore.
But the newest wave of attacks to hit companies both big and small are combining these two styles of scamming attempts. Recipients get an email from a boss, supervisor, or even a company CEO, instructing them to hand over a password, change an account number, or send over all of the identifying information for the company’s employees. Since the email was spoofed to appear as though it came from the boss, the recipient does as he’s instructed.
The recent boss phishing attacks that affected Snapchat, Evening Post Industries, AmeriPride Services, Main Line Health, and several more were unlike the typical “Nigerian prince” emails that so many of us are used to receiving. The language in these emails is very standard and businesslike, and the requests are plausible. For example, asking a payroll employee to send over all of the company’s W2 forms to the boss, which recently happened to Snapchat, seems like a very likely request at this time of year. Even worse, the email appears to come from the person requesting it, so the instructions are less likely to be questioned.
While you may not be able to prevent an employee from falling for this type of scam and sending your stored information to an identity thief or scammer, there are some things you can do to keep your company safe. If you ever receive any request—logical or otherwise—to send highly sensitive data to someone who requests it, remember these two steps:
- Verify it with the person who requested it using the company-approved contact – Experts have long warned to hang up on any caller who asks you to make a payment over the phone or verify your identity by providing detailed information. Then, if you’re concerned there might actually be a problem with your account, you’re supposed to call the company back using a phone number that you verified.The same is true of boss phishing. If your supervisor emails you to send over any sensitive information or records, use an established contact method like a company inner-office message system or the telephone to verify that the request is genuine.
- Use a new email – Don’t hit Reply to this type of message. If you’re copy/pasting or attaching highly sensitive information, even if you verified it, it’s a good idea to initiate a new email with an approved email address. In the case of a boss phishing scam, hitting Reply would be sending the information back to the scammer who spoofed the boss’ account, but sending the information from a new email message would send it over to the legitimate contact.
It’s important to note that there’s a difference between spoofing the boss’ email account and actually taking it over. If the supervisor or CEO’s email account was actually hacked, then even a new email message would end up in the scammer’s hands. That’s why verifying the request (preferably through another means other than email) is a safe bet. If you call the boss and he knows nothing of the information request, there’s an excellent chance his email account was actually infiltrated instead of just spoofed.
Anyone can be a victim of identity theft, anyone can use our services and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.